diff --git a/ChangeLog b/ChangeLog index 232fe38c9..d80564d1b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA - bug #1662976 [auth] Authentication fails when controluser/pass is set - bug #1643758 [import] Error #1264 importing NULL values in MySQL 5.0 - bug #1523747 [innodb] make warning about row count more visible +- bug #1676012 [auth] strip non-US-ASCII characters (RFC2616) - [gui] avoid displaying a wide selector in server selection + [core] added PMA_fatalError() and made use of it . [core] added PMA_isValid() and PMA_ifSetOr() for variable handling diff --git a/Documentation.html b/Documentation.html index 7b9c0e211..a69d719ba 100644 --- a/Documentation.html +++ b/Documentation.html @@ -766,7 +766,8 @@ GRANT ALL PRIVILEGES ON user_base.* TO 'real_user'@localhost IDENTIFIED BY 'real
Only useful when using phpMyAdmin with multiple server entries. If set, this string will be displayed instead of the hostname in the pull-down menu on the main page. This can be useful if you want to show only - certain databases on your system, for example.
+ certain databases on your system, for example. For HTTP auth, all + non-US-ASCII characters will be stripped.
$cfg['Servers'][$i]['pmadb'] string diff --git a/libraries/auth/http.auth.lib.php b/libraries/auth/http.auth.lib.php index 2a4250430..404146d64 100644 --- a/libraries/auth/http.auth.lib.php +++ b/libraries/auth/http.auth.lib.php @@ -27,7 +27,14 @@ function PMA_auth() { exit; } - header('WWW-Authenticate: Basic realm="phpMyAdmin ' . sprintf($GLOBALS['strRunning'], (empty($GLOBALS['cfg']['Server']['verbose']) ? str_replace('\'', '\\\'', $GLOBALS['cfg']['Server']['host']) : str_replace('\'', '\\\'', $GLOBALS['cfg']['Server']['verbose']))) . '"'); + if (empty($GLOBALS['cfg']['Server']['verbose'])) { + $server_message = $GLOBALS['cfg']['Server']['host']; + } else { + $server_message = $GLOBALS['cfg']['Server']['verbose']; + } + // remove non US-ASCII to respect RFC2616 + $server_message = preg_replace('/[^\x20-\x7e]/i', '', $server_message); + header('WWW-Authenticate: Basic realm="phpMyAdmin ' . $server_message . '"'); header('HTTP/1.0 401 Unauthorized'); header('status: 401 Unauthorized'); diff --git a/libraries/config.default.php b/libraries/config.default.php index d72110740..a8bacfdc2 100644 --- a/libraries/config.default.php +++ b/libraries/config.default.php @@ -200,6 +200,7 @@ $cfg['Servers'][$i]['hide_db'] = ''; /** * Verbose name for this host - leave blank to show the hostname + * (for HTTP auth, all non-US-ASCII characters will be stripped) * * @global string $cfg['Servers'][$i]['verbose'] */
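Review bot: The new filter on `$server_message` in `libraries/auth/http.auth.lib.php` keeps `"` and `\`, since both fall inside `\x20-\x7e`, so a `verbose` or `host` value containing a double quote ends the realm quoted-string early and the client parses the remainder as further challenge parameters. RFC 2616 requires these two characters to be escaped inside a quoted-string; adding `$server_message = addcslashes($server_message, '"\\');` after the `preg_replace()` call, or excluding them from the character class, keeps the `WWW-Authenticate` header well-formed. Both values come from the server configuration, so this is presumably a robustness problem rather than attacker-controlled input, but the realm is the only place they reach a response header unescaped. The `i` modifier has no effect on a byte-range class and can be dropped. `PMA_auth()` begins and ends outside this hunk, so the rest of the 401 path is not visible here.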